Symantec Endpoint Protection Analysis doesn't correctly report for SEP14

We have begun rolling out SEP14 and have noticed that the Virus Definition Version does not display the correct information for SEP14 clients. The Symantec registry keys have changed location for the virus definition version and both keys may exist if the machine was upgraded from SEP12 to SEP14.

On a SEP12 machine the current Virus Definition Version property evaluates correctly:

q: if (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs" whose (exists value "NAVCORP_70" of it) of registry) then ((if (exists "\" of it AND following text of last "\" of it contains ".") then (preceding text of last "." of following text of last "\" of it & ", rev. " & following text of last "." of following text of last "\" of it) else (it)) of (value "NAVCORP_70" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs" of registry as string)) else (if (exists key "HKEY_LOCAL_MACHINE\Software\Symantec\SharedDefs" whose (exists value "NAVCORP_70" of it) of registry) then ((if (exists "\" of it AND following text of last "\" of it contains ".") then (preceding text of last "." of following text of last "\" of it & ", rev. " & following text of last "." of following text of last "\" of it) else (it)) of (value "NAVCORP_70" of key "HKEY_LOCAL_MACHINE\Software\Symantec\SharedDefs" of registry as string)) else ("<Not Installed>"))
A: 20171109, rev. 001
T: 0.356 ms

On a SEP14 machine you get either “Not installed” if only the new SEP14 registry key exists, or it evaluates incorrectly because both SEP12 and SEP14 registry keys are present (a SEP14 machine that had been upgraded from SEP12).

Current Symantec Endpoint Protection Analysis (reporting incorrect virus definition versions on SEP14)

q: if (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs" whose (exists value "NAVCORP_70" of it) of registry) then ((if (exists "\" of it AND following text of last "\" of it contains ".") then (preceding text of last "." of following text of last "\" of it & ", rev. " & following text of last "." of following text of last "\" of it) else (it)) of (value "NAVCORP_70" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs" of registry as string)) else (if (exists key "HKEY_LOCAL_MACHINE\Software\Symantec\SharedDefs" whose (exists value "NAVCORP_70" of it) of registry) then ((if (exists "\" of it AND following text of last "\" of it contains ".") then (preceding text of last "." of following text of last "\" of it & ", rev. " & following text of last "." of following text of last "\" of it) else (it)) of (value "NAVCORP_70" of key "HKEY_LOCAL_MACHINE\Software\Symantec\SharedDefs" of registry as string)) else ("<Not Installed>"))
A: 20120308, rev. 002
T: 0.318 ms

The correct registry key and correct virus def version on same SEP14 machine:

q: if (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\SDSDefs" whose (exists value "NAVCORP_70" of it) of registry) then ((if (exists "\" of it AND following text of last "\" of it contains ".") then (preceding text of last "." of following text of last "\" of it & ", rev. " & following text of last "." of following text of last "\" of it) else (it)) of (value "NAVCORP_70" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\SDSDefs" of registry as string)) else (if (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\SDSDefs" whose (exists value "NAVCORP_70" of it) of registry) then ((if (exists "\" of it AND following text of last "\" of it contains ".") then (preceding text of last "." of following text of last "\" of it & ", rev. " & following text of last "." of following text of last "\" of it) else (it)) of (value "NAVCORP_70" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\SDSDefs" of registry as string)) else ("<Not Installed>"))
A: 20171109, rev. 001
T: 0.316 ms

To get the correct output, I have combined the scripts with the SEP14 check first, so if the key is there it will report on that one correctly and if it's not there it will fail over to the SEP12 registry location. Same SEP14 machine.

q: if (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\SDSDefs" whose (exists value "NAVCORP_70" of it) of registry) then ((if (exists "\" of it AND following text of last "\" of it contains ".") then (preceding text of last "." of following text of last "\" of it & ", rev. " & following text of last "." of following text of last "\" of it) else (it)) of (value "NAVCORP_70" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\SDSDefs" of registry as string)) else if (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\SDSDefs" whose (exists value "NAVCORP_70" of it) of registry) then ((if (exists "\" of it AND following text of last "\" of it contains ".") then (preceding text of last "." of following text of last "\" of it & ", rev. " & following text of last "." of following text of last "\" of it) else (it)) of (value "NAVCORP_70" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\SDSDefs" of registry as string)) else if (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs" whose (exists value "NAVCORP_70" of it) of registry) then ((if (exists "\" of it AND following text of last "\" of it contains ".") then (preceding text of last "." of following text of last "\" of it & ", rev. " & following text of last "." of following text of last "\" of it) else (it)) of (value "NAVCORP_70" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs" of registry as string)) else (if (exists key "HKEY_LOCAL_MACHINE\Software\Symantec\SharedDefs" whose (exists value "NAVCORP_70" of it) of registry) then ((if (exists "\" of it AND following text of last "\" of it contains ".") then (preceding text of last "." of following text of last "\" of it & ", rev. " & following text of last "." of following text of last "\" of it) else (it)) of (value "NAVCORP_70" of key "HKEY_LOCAL_MACHINE\Software\Symantec\SharedDefs" of registry as string)) else ("<Not Installed>"))
A: 20171109, rev. 001
T: 0.743 ms

Please update the Symantec Endpoint Analysis so it reports correctly for SEP14 and older versions of Symantec.

Thanks,
Scott

3 Likes
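As an added example (not code from Scott's post, nor from the BigFix analysis or Symantec), the following Python mirrors the key precedence and the string handling of the relevance above, so the SEP12/SEP14 key-ordering problem can be reproduced offline. The three registry key paths and the value name NAVCORP_70 are the ones quoted in the thread; the full definition paths in the sample data are constructed (only the trailing "YYYYMMDD.NNN" leaf matters), and the winreg_lookup helper is an assumption about how the same check could be run live on a Windows host.

```python
"""Added example: reproduce the SEP12/SEP14 definition-version precedence
described in the forum thread, using an injectable registry lookup so the
same logic runs against constructed data offline or against winreg on Windows."""
from typing import Callable, Dict, List, Optional

# Key paths quoted in the thread, in the order the corrected relevance checks them:
# the SEP14 location first, then the two SEP12-era locations.
DEF_KEYS: List[str] = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\SDSDefs",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs",
    r"HKEY_LOCAL_MACHINE\Software\Symantec\SharedDefs",
]
OLD_ORDER: List[str] = DEF_KEYS[1:]   # what the original analysis checks (SEP12 keys only)
VALUE_NAME = "NAVCORP_70"
NOT_INSTALLED = "<Not Installed>"

Lookup = Callable[[str, str], Optional[str]]


def format_defs(raw: str) -> str:
    """Same transformation as the relevance: take the text after the last
    backslash and, if it contains a '.', split at the last '.' into
    'YYYYMMDD, rev. NNN'; otherwise return the raw value unchanged."""
    if "\\" in raw:
        leaf = raw.rsplit("\\", 1)[1]
        if "." in leaf:
            date, rev = leaf.rsplit(".", 1)
            return f"{date}, rev. {rev}"
    return raw


def definition_version(lookup: Lookup, key_order: List[str] = DEF_KEYS) -> str:
    """Return the formatted definition version from the first key in key_order
    that carries a NAVCORP_70 value, or '<Not Installed>' if none does."""
    for key in key_order:
        raw = lookup(key, VALUE_NAME)
        if raw is not None:
            return format_defs(raw)
    return NOT_INSTALLED


def dict_lookup(registry: Dict[str, Dict[str, str]]) -> Lookup:
    """Lookup over a constructed in-memory registry (for offline reproduction)."""
    def lookup(key: str, name: str) -> Optional[str]:
        return registry.get(key, {}).get(name)
    return lookup


def winreg_lookup(key: str, name: str) -> Optional[str]:
    """Hypothetical live lookup for a Windows host (assumption: only works there).
    KEY_WOW64_64KEY avoids WOW64 redirection when run from 32-bit Python."""
    import winreg  # imported lazily so the module loads on non-Windows hosts
    root, _, sub = key.partition("\\")
    try:
        access = winreg.KEY_READ | winreg.KEY_WOW64_64KEY
        with winreg.OpenKey(getattr(winreg, root), sub, 0, access) as handle:
            value, _ = winreg.QueryValueEx(handle, name)
            return str(value)
    except OSError:
        return None


# Constructed sample data modelled on the three machines in the thread.
SEP12_ONLY = {
    DEF_KEYS[1]: {VALUE_NAME: r"C:\ProgramData\Symantec\Definitions\VirusDefs\20171109.001"},
}
SEP14_UPGRADED = {   # upgraded from SEP12: both keys present, old one stale
    DEF_KEYS[0]: {VALUE_NAME: r"C:\ProgramData\Symantec\Definitions\SDSDefs\20171109.001"},
    DEF_KEYS[1]: {VALUE_NAME: r"C:\ProgramData\Symantec\Definitions\VirusDefs\20120308.002"},
}
SEP14_CLEAN = {      # fresh SEP14 install: only the new key exists
    DEF_KEYS[0]: {VALUE_NAME: r"C:\ProgramData\Symantec\Definitions\SDSDefs\20171109.001"},
}


def compare_orders() -> Dict[str, Dict[str, str]]:
    """Evaluate each sample machine under the old (SEP12-only) and corrected
    (SEP14-first) key order, returning {machine: {order: result}}."""
    machines = {"SEP12 only": SEP12_ONLY, "SEP14 upgraded": SEP14_UPGRADED, "SEP14 clean": SEP14_CLEAN}
    return {
        label: {
            "old order": definition_version(dict_lookup(reg), OLD_ORDER),
            "new order": definition_version(dict_lookup(reg)),
        }
        for label, reg in machines.items()
    }


if __name__ == "__main__":
    for machine, results in compare_orders().items():
        print(f"{machine:15} old={results['old order']:22} new={results['new order']}")
```

Running it shows the two failure modes from the thread side by side: with the old key order the upgraded SEP14 machine reports the stale 20120308 definitions and the clean SEP14 machine reports "<Not Installed>", while the SEP14-first order returns 20171109, rev. 001 on all three.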

Nice catch Scott!

We’re just starting to deploy SEP14 ourselves.

Any timeframe for when the Analysis “Symantec Endpoint Protection - Client Information - Windows NT/2000/XP/2003/Vista/2008/7/2008 R2/8/8.1/10/2012/2012 R2/2016 Client Manager for Endpoint Protection” will be updated to work with SEP14?

Also, there is a better and smaller SEP14 Intelligent Updater available than the 162 MB one offered in “653 UPDATE: Outdated Symantec Endpoint Protection Virus Definition Detected (x64) Client Manager for Endpoint Protection.” It's only 62 MB in size and works really well.

https://www.symantec.com/security_response/definitions/download/detail.jsp?gid=sep14

The relevance is also incorrect for SEP14 machines with this 653 Definition Update task/fixlet.

Thanks,
Scott